def check(self):
super(zstack_kvm_sg_tcp_ingress_checker, self).check()
all_ports = port_header.all_ports
test_result = True
test_util.test_dsc('Check TCP ingress rules')
nic = test_lib.lib_get_nic_by_uuid(self.nic_uuid)
l3_uuid = nic.l3NetworkUuid
if not 'DHCP' in test_lib.lib_get_l3_service_type(l3_uuid):
test_util.test_logger("Skip SG test for [l3:] %s. Since it doesn't provide DHCP service, there isn't stable IP address for testint." % l3_uuid)
return self.judge(self.exp_result)
stub_vm = self.test_obj.get_stub_vm(l3_uuid)
if not stub_vm:
test_util.test_warn('Did not find test stub vm for [nic:] %s. Skip TCP ingress port checking for this nic.' % self.nic_uuid)
return self.judge(self.exp_result)
stub_vm = stub_vm.vm
stub_vm_ip = test_lib.lib_get_vm_nic_by_l3(stub_vm, l3_uuid).ip
target_addr = '%s/32' % stub_vm_ip
rules = self.test_obj.get_nic_tcp_ingress_rule_by_addr(self.nic_uuid, target_addr)
allowed_ports = []
for rule in rules:
rule_allowed_ports = port_header.get_ports(port_header.get_port_rule(rule.startPort))
test_util.test_logger('[SG:] %s [ingress rule]: %s allow to access [nic:] %s [ports]: %s from [vm:] %s' % (rule.securityGroupUuid, rule.uuid, self.nic_uuid, rule_allowed_ports, stub_vm.uuid))
for port in rule_allowed_ports:
if not port in allowed_ports:
allowed_ports.append(port)
if not allowed_ports:
#If no allowed port, it means all denied.
denied_ports = list(all_ports)
else:
denied_ports = list_ops.list_minus(all_ports, allowed_ports)
test_vm = test_lib.lib_get_vm_by_nic(nic.uuid)
if test_vm.state == inventory.RUNNING:
try:
test_lib.lib_open_vm_listen_ports(test_vm, all_ports, l3_uuid)
test_lib.lib_check_vm_ports_in_a_command(stub_vm, test_vm, allowed_ports, denied_ports)
except:
traceback.print_exc(file=sys.stdout)
test_util.test_logger('Check result: [Security Group] meets failure when checking TCP ingress rule for [vm:] %s [nic:] %s. ' % (test_vm.uuid, self.nic_uuid))
test_result = False
else:
test_util.test_warn('Test [vm:] %s is not running. Skip SG TCP ingress connection checker for this vm.' % test_vm.uuid)
test_util.test_logger('Check result: [Security Group] finishes TCP ingress testing for [nic:] %s' % self.nic_uuid)
print_iptables(test_vm)
return self.judge(test_result)
def check(self):
super(zstack_vcenter_sg_tcp_ingress_checker, self).check()
all_ports = port_header.all_ports
test_result = True
test_util.test_dsc('Check TCP ingress rules')
nic = test_lib.lib_get_nic_by_uuid(self.nic_uuid)
l3_uuid = nic.l3NetworkUuid
if not 'DHCP' in test_lib.lib_get_l3_service_type(l3_uuid):
test_util.test_logger("Skip SG test for [l3:] %s. Since it doesn't provide DHCP service, there isn't stable IP address for testint." % l3_uuid)
return self.judge(self.exp_result)
stub_vm = self.test_obj.get_stub_vm(l3_uuid)
if not stub_vm:
test_util.test_warn('Did not find test stub vm for [nic:] %s. Skip TCP ingress port checking for this nic.' % self.nic_uuid)
return self.judge(self.exp_result)
stub_vm = stub_vm.vm
stub_vm_ip = test_lib.lib_get_vm_nic_by_l3(stub_vm, l3_uuid).ip
target_addr = '%s/32' % stub_vm_ip
rules = self.test_obj.get_nic_tcp_ingress_rule_by_addr(self.nic_uuid, target_addr)
allowed_ports = []
for rule in rules:
rule_allowed_ports = port_header.get_ports(port_header.get_port_rule(rule.startPort))
test_util.test_logger('[SG:] %s [ingress rule]: %s allow to access [nic:] %s [ports]: %s from [vm:] %s' % (rule.securityGroupUuid, rule.uuid, self.nic_uuid, rule_allowed_ports, stub_vm.uuid))
for port in rule_allowed_ports:
if not port in allowed_ports:
allowed_ports.append(port)
if not allowed_ports:
#If no allowed port, it means all denied.
denied_ports = list(all_ports)
else:
denied_ports = list_ops.list_minus(all_ports, allowed_ports)
test_vm = test_lib.lib_get_vm_by_nic(nic.uuid)
if test_vm.state == inventory.RUNNING:
try:
test_lib.lib_open_vm_listen_ports(test_vm, all_ports, l3_uuid)
test_lib.lib_check_vm_ports_in_a_command(stub_vm, test_vm, allowed_ports, denied_ports)
except:
traceback.print_exc(file=sys.stdout)
test_util.test_logger('Check result: [Security Group] meets failure when checking TCP ingress rule for [vm:] %s [nic:] %s. ' % (test_vm.uuid, self.nic_uuid))
test_result = False
else:
test_util.test_warn('Test [vm:] %s is not running. Skip SG TCP ingress connection checker for this vm.' % test_vm.uuid)
test_util.test_logger('Check result: [Security Group] finishes TCP ingress testing for [nic:] %s' % self.nic_uuid)
print_iptables(test_vm)
return self.judge(test_result)
def test():
'''
Test image requirements:
1. have nc to check the network port
2. have "nc" to open any port
3. it doesn't include a default firewall
VR image is a good candiate to be the guest image.
'''
test_util.test_dsc(
"Create 3 VMs with vlan VR L3 network and using VR image.")
vm1 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm1)
vm2 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm2)
vm3 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm3)
vm4 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm4)
vm5 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm5)
vm1.check()
vm2.check()
vm3.check()
vm4.check()
vm5.check()
test_util.test_dsc("Create security groups.")
sg1 = test_stub.create_sg()
test_obj_dict.add_sg(sg1.security_group.uuid)
sg2 = test_stub.create_sg()
test_obj_dict.add_sg(sg2.security_group.uuid)
sg3 = test_stub.create_sg()
test_obj_dict.add_sg(sg3.security_group.uuid)
sg4 = test_stub.create_sg()
test_obj_dict.add_sg(sg4.security_group.uuid)
sg5 = test_stub.create_sg()
test_obj_dict.add_sg(sg5.security_group.uuid)
sg_vm = test_sg_vm_header.ZstackTestSgVm()
sg_vm.check()
vr_vm = test_lib.lib_find_vr_by_vm(vm1.vm)[0]
vr_internal_ip = test_lib.lib_find_vr_private_ip(vr_vm)
vm1_ip = vm1.vm.vmNics[0].ip
vm2_ip = vm2.vm.vmNics[0].ip
vm3_ip = vm3.vm.vmNics[0].ip
vm4_ip = vm4.vm.vmNics[0].ip
vm5_ip = vm5.vm.vmNics[0].ip
l3_uuid = vm1.vm.vmNics[0].l3NetworkUuid
nic_uuid1 = vm1.vm.vmNics[0].uuid
nic_uuid2 = vm2.vm.vmNics[0].uuid
nic_uuid3 = vm3.vm.vmNics[0].uuid
nic_uuid4 = vm4.vm.vmNics[0].uuid
nic_uuid5 = vm5.vm.vmNics[0].uuid
vm1_nics = (nic_uuid1, vm1)
vm2_nics = (nic_uuid2, vm2)
vm3_nics = (nic_uuid3, vm3)
vm4_nics = (nic_uuid4, vm4)
vm5_nics = (nic_uuid5, vm5)
vm_group1_nics = [vm1_nics, vm2_nics]
vm_group2_nics = [vm3_nics, vm4_nics]
#vms_nics = vm_group1_nics + vm_group1_nics + [vm5_nics]
vms_nics = vm_group1_nics + vm_group2_nics
test_util.test_dsc("Open some ports in 5 VMs for testing.")
for vm in vm1, vm2, vm3, vm4, vm5:
test_lib.lib_open_vm_listen_ports(vm.vm, test_stub.target_ports)
rule_ai1 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP,
inventory.INGRESS, vr_internal_ip)
rule_ae1 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP,
inventory.EGRESS, vm5_ip)
rule_v3i_2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP,
inventory.INGRESS, vm3_ip)
rule_v3e_2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP,
inventory.EGRESS, vm3_ip)
rule_v3e_3 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.TCP,
inventory.EGRESS, vm3_ip)
rule_v3i_3 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.TCP,
inventory.INGRESS, vm3_ip)
rule_v4i_2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP,
inventory.INGRESS, vm4_ip)
rule_v4e_2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP,
inventory.EGRESS, vm4_ip)
rule_v1i_2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP,
inventory.INGRESS, vm1_ip)
rule_v1e_2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP,
inventory.EGRESS, vm1_ip)
rule_v2i_2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP,
inventory.INGRESS, vm2_ip)
rule_v2e_2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP,
inventory.EGRESS, vm2_ip)
rule_v1i_3 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.TCP,
inventory.INGRESS, vm1_ip)
rule_v1e_3 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.TCP,
inventory.EGRESS, vm1_ip)
sg1.add_rule([rule_ai1, rule_ae1])
sg2.add_rule([rule_v3i_2, rule_v4i_2, rule_v3e_2, rule_v4e_2])
sg3.add_rule([rule_v1i_2, rule_v2i_2, rule_v1e_2, rule_v2e_2])
sg4.add_rule([rule_v1i_3, rule_v1e_3])
sg5.add_rule([rule_v3e_3, rule_v3i_3])
sg_vm.add_stub_vm(l3_uuid, vm5)
sg_vm.check()
##add all vm1 vm2 vm3 vm4 vm5 to sg1.
test_util.test_dsc("Add all VMs to security group 1.")
test_util.test_dsc("Allowed ingress and egress [ports:] %s" %
test_stub.rule1_ports)
sg_vm.attach(sg1, vms_nics)
#add vm1 vm2 to SG2.
test_util.test_dsc("Add VM1 and VM2 to SG2.")
test_util.test_dsc("Allowed ingress [ports:] %s from VM3 and VM4" %
test_stub.rule2_ports)
test_util.test_dsc("Allowed egress [ports:] %s to VM3 and VM4" %
test_stub.rule2_ports)
test_util.test_dsc(
"Since VM1/VM2 are in same SG group, VM1/VM2 can connect rule2 ports :%s each other."
% test_stub.rule2_ports)
sg_vm.attach(sg2, vm_group1_nics)
sg_vm.check()
test_util.test_dsc(
"Since VM3/VM4 didn't open rule2 ports for VM1/VM2, VM1/VM2 can't connect to VM3/VM4 rule2 ports :%s."
% test_stub.rule2_ports)
test_lib.lib_check_vm_ports(
vm3.vm, vm1.vm, test_stub.rule1_ports,
(test_stub.rule2_ports + test_stub.rule3_ports +
test_stub.rule4_ports + test_stub.rule5_ports +
test_stub.denied_ports))
test_lib.lib_check_vm_ports(
vm3.vm, vm2.vm, test_stub.rule1_ports,
(test_stub.rule2_ports + test_stub.rule3_ports +
test_stub.rule4_ports + test_stub.rule5_ports +
test_stub.denied_ports))
test_lib.lib_check_vm_ports(
vm4.vm, vm1.vm, test_stub.rule1_ports,
(test_stub.rule2_ports + test_stub.rule3_ports +
test_stub.rule4_ports + test_stub.rule5_ports +
test_stub.denied_ports))
test_lib.lib_check_vm_ports(
vm4.vm, vm2.vm, test_stub.rule1_ports,
(test_stub.rule2_ports + test_stub.rule3_ports +
test_stub.rule4_ports + test_stub.rule5_ports +
test_stub.denied_ports))
test_lib.lib_check_vm_group_ports(
vm1.vm, [vm3.vm, vm4.vm], test_stub.rule1_ports,
(test_stub.rule2_ports + test_stub.rule3_ports +
test_stub.rule4_ports + test_stub.rule5_ports +
test_stub.denied_ports))
test_util.test_dsc("Add rule2 ports to VM3 and VM4.")
test_util.test_dsc("Allowed ingress [ports:] %s from VM1/VM2 to VM3/VM4" %
(test_stub.rule1_ports + test_stub.rule2_ports))
test_util.test_dsc("Allowed egress [ports:] %s to VM1 and VM2" %
test_stub.rule2_ports)
sg_vm.attach(sg3, vm_group2_nics)
test_lib.lib_check_vm_group_ports(
vm4.vm, [vm1.vm, vm2.vm],
(test_stub.rule1_ports + test_stub.rule2_ports),
(test_stub.rule3_ports + test_stub.rule4_ports +
test_stub.rule5_ports + test_stub.denied_ports))
test_lib.lib_check_vm_group_ports(
vm2.vm, [vm3.vm, vm4.vm],
(test_stub.rule1_ports + test_stub.rule2_ports),
(test_stub.rule3_ports + test_stub.rule4_ports +
test_stub.rule5_ports + test_stub.denied_ports))
sg_vm.check()
test_util.test_dsc("Add VM3 and VM4 to SG4.")
test_util.test_dsc("Allowed ingress/egress [ports:] %s for VM1" %
test_stub.rule3_ports)
test_util.test_dsc(
"But due to VM1 didn't open related ports, connection will be denied for [ports:] %s from VM1 to VM3 "
% test_stub.rule3_ports)
test_util.test_dsc(
"The enabled connections for VM1/VM3 are still [ports:] %s " %
(test_stub.rule1_ports + test_stub.rule2_ports))
sg_vm.attach(sg4, vm_group2_nics)
test_lib.lib_check_vm_ports(
vm1.vm, vm3.vm, (test_stub.rule1_ports + test_stub.rule2_ports),
(test_stub.rule3_ports + test_stub.rule4_ports +
test_stub.rule5_ports + test_stub.denied_ports))
test_util.test_dsc(
"As VM3/VM4 are in same SG group, rule1+rule2+rule3 [ports:] %s are opened between VM4 and VM3 "
% (test_stub.rule1_ports + test_stub.rule2_ports +
test_stub.rule3_ports))
sg_vm.check()
test_util.test_dsc("Add VM1 and VM2 to SG5.")
test_util.test_dsc("Allowed ingress/egress [ports:] %s for VM3" %
test_stub.rule3_ports)
test_util.test_dsc(
"Connection between VM1 and VM3, between VM1 and VM2, between VM3 and VM4 are enabled for [ports:] %s"
% (test_stub.rule1_ports + test_stub.rule2_ports +
test_stub.rule3_ports))
sg_vm.attach(sg5, vm_group1_nics)
test_lib.lib_check_vm_ports(
vm1.vm, vm3.vm, (test_stub.rule1_ports + test_stub.rule2_ports +
test_stub.rule3_ports),
(test_stub.rule4_ports + test_stub.rule5_ports +
test_stub.denied_ports))
test_lib.lib_check_vm_ports(
vm3.vm, vm1.vm, (test_stub.rule1_ports + test_stub.rule2_ports +
test_stub.rule3_ports),
(test_stub.rule4_ports + test_stub.rule5_ports +
test_stub.denied_ports))
test_lib.lib_check_vm_ports(
vm4.vm, vm3.vm, (test_stub.rule1_ports + test_stub.rule2_ports +
test_stub.rule3_ports),
(test_stub.rule4_ports + test_stub.rule5_ports +
test_stub.denied_ports))
test_util.test_dsc("Connection from VM2 to VM3 are enabled for [ports:]" %
(test_stub.rule1_ports + test_stub.rule2_ports +
test_stub.rule3_ports))
test_lib.lib_check_vm_ports(
vm2.vm, vm3.vm, (test_stub.rule1_ports + test_stub.rule2_ports),
(test_stub.rule3_ports + test_stub.rule4_ports +
test_stub.rule5_ports + test_stub.denied_ports))
test_lib.lib_check_vm_ports(
vm4.vm, vm2.vm, (test_stub.rule1_ports + test_stub.rule2_ports),
(test_stub.rule3_ports + test_stub.rule4_ports +
test_stub.rule5_ports + test_stub.denied_ports))
#test_util.test_dsc("VM5 was not granted with rule2 and rule3 ports, so only rule1 [ports:] %s are allowned to connect to other VMs." % test_stub.rule1_ports)
#test_lib.lib_check_vm_ports(vm5.vm, vm3.vm, test_stub.rule1_ports, (test_stub.rule2_ports + test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports + test_stub.denied_ports))
#clean up.
for sg in sg1, sg2, sg3, sg4, sg5:
sg_vm.delete_sg(sg)
test_obj_dict.rm_sg(sg.security_group.uuid)
for vm in vm1, vm2, vm3, vm4, vm5:
vm.destroy()
test_obj_dict.rm_vm(vm)
test_util.test_pass(
'Security Group Vlan VirtualRouter VM complex testing with 2 Groups 5 VMs Test Success'
)
def check(self):
'''
check will assume target vm only have 1 port forwarding VR.
So all vms PF rules are assigned to 1 VM nic.
'''
super(zstack_vcenter_pf_tcp_checker, self).check()
test_result = True
target_vm = self.test_obj.get_target_vm().vm
pf_rule = self.test_obj.get_port_forwarding()
vm_nic = test_lib.lib_get_nic_by_uuid(pf_rule.vmNicUuid)
all_ports = port_header.all_ports
#only open ports when VM is running.
if self.test_obj.get_target_vm().state == vm_header.RUNNING:
test_lib.lib_open_vm_listen_ports(target_vm, all_ports, vm_nic.l3NetworkUuid)
#consolidate rules for TCP/UDP/ICMP with different AllowedCidr
rule_port = port_header.get_port_rule(pf_rule.vipPortStart, pf_rule.vipPortEnd)
#check SG ingress limitation. Since SG rule will not consider vip as
#allowedCidr, if there is ingress limitation, the ingress PF connection
#will be blocked.
sg_tcp_ingress_flag = _sg_rule_exist(vm_nic, inventory.TCP, pf_rule)
allowedCidr = pf_rule.allowedCidr
allowed_vr_ip = allowedCidr.split('/')[0]
allowed_vr_vm = test_lib.lib_get_vm_by_ip(allowed_vr_ip)
vr_nic = test_lib.lib_get_nic_by_ip(allowed_vr_ip)
l3_uuid = vr_nic.l3NetworkUuid
allowed_vr_uuid_list = [allowed_vr_vm.uuid]
#target_vm's VRs should be excluded, otherwise the ip package will be routed to this VR directly.
pf_vm_vrs = test_lib.lib_find_vr_by_vm(target_vm)
for pf_vr in pf_vm_vrs:
allowed_vr_uuid_list.append(pf_vr.uuid)
denied_vr_vm = _find_denied_vr(target_vm.clusterUuid, l3_uuid, allowed_vr_uuid_list)
denied_vr_ip = test_lib.lib_find_vr_pub_ip(denied_vr_vm)
vip_uuid = pf_rule.vipUuid
cond = res_ops.gen_query_conditions('uuid', '=', vip_uuid)
vipIp = res_ops.query_resource(res_ops.VIP, cond)[0].ip
if sg_tcp_ingress_flag:
test_util.test_logger('SG TCP Ingress rule existence. PF TCP ingress rule will be blocked for [vm:] %s' % target_vm.uuid)
try:
test_lib.lib_check_ports_in_a_command(allowed_vr_vm, allowed_vr_ip, vipIp, [], all_ports, target_vm)
except:
test_util.test_logger("Catch failure when checking Port Forwarding TCP [rule:] %s for allowed Cidr from [vm:] %s, when SG rule exists. " % (pf_rule.uuid, target_vm.uuid))
test_result = False
if test_result != self.exp_result:
return self.judge(test_result)
else:
allowed_ports = port_header.get_ports(rule_port)
denied_ports = list_ops.list_minus(all_ports, allowed_ports)
try:
test_lib.lib_check_ports_in_a_command(allowed_vr_vm, allowed_vr_ip, vipIp, allowed_ports, denied_ports, target_vm)
except:
traceback.print_exc(file=sys.stdout)
test_util.test_logger("Catch failure when checking Port Forwarding TCP [rule:] %s for allowed Cidr from [vm:] %s " % (pf_rule.uuid, target_vm.uuid))
test_result = False
if test_result != self.exp_result:
return self.judge(test_result)
else:
test_util.test_logger("Checking pass for Port Forwarding TCP [rule:] %s for allowed Cidr from [vm:] %s " % (pf_rule.uuid, target_vm.uuid))
try:
test_lib.lib_check_ports_in_a_command(denied_vr_vm, denied_vr_ip, vipIp, [], all_ports, target_vm)
except:
traceback.print_exc(file=sys.stdout)
test_util.test_logger("Catch failure when checking Port Forwarding TCP [rule:] %s for not allowed Cidr from [vm:] %s" % (pf_rule.uuid, target_vm.uuid))
test_result = False
if test_result != self.exp_result:
return self.judge(test_result)
else:
test_util.test_logger("Checking pass for Port Forwarding TCP [rule:] %s for not allowed Cidr from [vm:] %s . All ports should be blocked. " % (pf_rule.uuid, target_vm.uuid))
test_util.test_logger('Check result: [Port Forwarding] finishes TCP testing for [vm:] %s [nic:] %s' % (target_vm.uuid, vm_nic.uuid))
return self.judge(test_result)
def check(self):
'''
check will assume target vm only have 1 port forwarding VR.
So all vms PF rules are assigned to 1 VM nic.
'''
super(zstack_kvm_pf_tcp_checker, self).check()
test_result = True
target_vm = self.test_obj.get_target_vm().vm
pf_rule = self.test_obj.get_port_forwarding()
vm_nic = test_lib.lib_get_nic_by_uuid(pf_rule.vmNicUuid)
all_ports = port_header.all_ports
#only open ports when VM is running.
if self.test_obj.get_target_vm().state == vm_header.RUNNING:
test_lib.lib_open_vm_listen_ports(target_vm, all_ports,
vm_nic.l3NetworkUuid)
#consolidate rules for TCP/UDP/ICMP with different AllowedCidr
rule_port = port_header.get_port_rule(pf_rule.vipPortStart,
pf_rule.vipPortEnd)
#check SG ingress limitation. Since SG rule will not consider vip as
#allowedCidr, if there is ingress limitation, the ingress PF connection
#will be blocked.
sg_tcp_ingress_flag = _sg_rule_exist(vm_nic, inventory.TCP, pf_rule)
allowedCidr = pf_rule.allowedCidr
allowed_vr_ip = allowedCidr.split('/')[0]
allowed_vr_vm = test_lib.lib_get_vm_by_ip(allowed_vr_ip)
vr_nic = test_lib.lib_get_nic_by_ip(allowed_vr_ip)
l3_uuid = vr_nic.l3NetworkUuid
allowed_vr_uuid_list = [allowed_vr_vm.uuid]
#target_vm's VRs should be excluded, otherwise the ip package will be routed to this VR directly.
pf_vm_vrs = test_lib.lib_find_vr_by_vm(target_vm)
for pf_vr in pf_vm_vrs:
allowed_vr_uuid_list.append(pf_vr.uuid)
denied_vr_vm = _find_denied_vr(target_vm.clusterUuid, l3_uuid,
allowed_vr_uuid_list)
denied_vr_ip = test_lib.lib_find_vr_pub_ip(denied_vr_vm)
vip_uuid = pf_rule.vipUuid
cond = res_ops.gen_query_conditions('uuid', '=', vip_uuid)
vipIp = res_ops.query_resource(res_ops.VIP, cond)[0].ip
if sg_tcp_ingress_flag:
test_util.test_logger(
'SG TCP Ingress rule existence. PF TCP ingress rule will be blocked for [vm:] %s'
% target_vm.uuid)
try:
test_lib.lib_check_ports_in_a_command(allowed_vr_vm,
allowed_vr_ip, vipIp, [],
all_ports, target_vm)
except:
test_util.test_logger(
"Catch failure when checking Port Forwarding TCP [rule:] %s for allowed Cidr from [vm:] %s, when SG rule exists. "
% (pf_rule.uuid, target_vm.uuid))
test_result = False
if test_result != self.exp_result:
return self.judge(test_result)
else:
allowed_ports = port_header.get_ports(rule_port)
denied_ports = list_ops.list_minus(all_ports, allowed_ports)
try:
test_lib.lib_check_ports_in_a_command(allowed_vr_vm,
allowed_vr_ip, vipIp,
allowed_ports,
denied_ports, target_vm)
except:
traceback.print_exc(file=sys.stdout)
test_util.test_logger(
"Catch failure when checking Port Forwarding TCP [rule:] %s for allowed Cidr from [vm:] %s "
% (pf_rule.uuid, target_vm.uuid))
test_result = False
if test_result != self.exp_result:
return self.judge(test_result)
else:
test_util.test_logger(
"Checking pass for Port Forwarding TCP [rule:] %s for allowed Cidr from [vm:] %s "
% (pf_rule.uuid, target_vm.uuid))
try:
test_lib.lib_check_ports_in_a_command(denied_vr_vm,
denied_vr_ip, vipIp, [],
all_ports, target_vm)
except:
traceback.print_exc(file=sys.stdout)
test_util.test_logger(
"Catch failure when checking Port Forwarding TCP [rule:] %s for not allowed Cidr from [vm:] %s"
% (pf_rule.uuid, target_vm.uuid))
test_result = False
if test_result != self.exp_result:
return self.judge(test_result)
else:
test_util.test_logger(
"Checking pass for Port Forwarding TCP [rule:] %s for not allowed Cidr from [vm:] %s . All ports should be blocked. "
% (pf_rule.uuid, target_vm.uuid))
test_util.test_logger(
'Check result: [Port Forwarding] finishes TCP testing for [vm:] %s [nic:] %s'
% (target_vm.uuid, vm_nic.uuid))
return self.judge(test_result)
def check(self):
super(pf_checker, self).check()
test_result = True
try:
test_vip = test_lib.lib_get_vip_by_uuid(self.test_obj.get_vip().uuid)
except:
test_util.test_logger('Check Result: [vip:] %s is not exist' % self.test_obj.get_vip().uuid)
self.test_obj.update()
return self.judge(False)
if not self.test_obj.get_pf_list():
test_util.test_logger('Check Result: [vip:] %s is not attached to any pf.' % self.test_obj.get_vip().uuid)
self.test_obj.update()
return self.judge(False)
vip = self.test_obj.get_vip()
vipIp = vip.ip
all_ports = port_header.all_ports
pf_running_list = self.test_obj.get_pf_list_for_running_vm()
pf_tcp_list, pf_udp_list = self.separate_tcp_udp_list(pf_running_list)
pf_tcp_dict = self.gen_tcp_dict_by_allowed_cidr(pf_tcp_list)
pf_stopped_list = self.test_obj.get_pf_list_for_stopped_vm()
pf_detached_list = self.test_obj.get_detached_pf_list()
vip_l3 = self.test_obj.get_vip().l3NetworkUuid
if not pf_running_list:
# all ports should be denied, since no living vm.
for pf in pf_stopped_list:
test_result = self.check_denied_pf(pf)
if test_result != self.exp_result:
return self.judge(test_result)
for pf in pf_detached_list:
test_result = self.check_denied_pf(pf)
if test_result != self.exp_result:
return self.judge(test_result)
else:
#open TCP ports for living vms
for pf in pf_tcp_list:
target_vm = pf.get_target_vm().vm
vm_l3 = test_lib.lib_get_nic_by_uuid(pf.get_port_forwarding().vmNicUuid).l3NetworkUuid
test_lib.lib_open_vm_listen_ports(target_vm, all_ports, vm_l3)
#calc allowed ports, per allowed_cidr
for allowed_vr_ip, pf_dict_list in pf_tcp_dict.iteritems():
allowed_ports = []
denied_ports = all_ports
#find all pf rules on running vm. These rules are supposed to be connectable, unless they are blocked by target vm's sg.
allowed_ports, denied_ports = \
self.count_pf_allowed_denied_ports(
pf_dict_list,
allowed_ports,
denied_ports)
#although the target_vm might be different, but the denied_vr_vm should be same.
target_vm_nic_uuid = pf_dict_list[0].get_port_forwarding().vmNicUuid
allowed_vr_vm, denied_vr_vm = \
self.get_allowed_denied_vr_vm(allowed_vr_ip, target_vm_nic_uuid)
denied_vr_ip = test_lib.lib_find_vr_pub_ip(denied_vr_vm)
try:
test_lib.lib_check_ports_in_a_command(allowed_vr_vm, allowed_vr_ip, vipIp, allowed_ports, denied_ports, target_vm)
except:
traceback.print_exc(file=sys.stdout)
test_util.test_logger("Catch failure when checking [vip:] %s Port Forwarding TCP [rules] for allowed Cidr: %s from [vm:] %s . " % \
(vip.uuid, allowed_vr_ip, allowed_vr_vm.uuid))
test_result = False
if test_result != self.exp_result:
return self.judge(test_result)
if test_result != self.exp_result:
return self.judge(test_result)
test_util.test_logger("Checking pass for [vip:] %s Port Forwardings TCP rules for allowed Cidr: %s from [vm:] %s " % \
(vip.uuid, allowed_vr_ip, allowed_vr_vm.uuid))
#check denied vr access.
allowed_ports = []
denied_ports = all_ports
#the denied vr might be in other pf rule.
if denied_vr_ip in pf_tcp_dict.keys():
allowed_ports, denied_ports = \
self.count_pf_allowed_denied_ports(
pf_tcp_dict[denied_vr_ip],
allowed_ports,
denied_ports)
try:
test_lib.lib_check_ports_in_a_command(denied_vr_vm, denied_vr_ip, vipIp, allowed_ports, denied_ports, target_vm)
except:
traceback.print_exc(file=sys.stdout)
test_util.test_logger("Catch failure when checking [vip:] %s Port Forwarding TCPs for not allowed Cidr from [vm:] %s" % (vip.uuid, allowed_vr_vm.uuid))
test_result = False
if test_result != self.exp_result:
return self.judge(test_result)
test_util.test_logger("Checking pass for Port Forwarding TCP [rule:] %s for not allowed Cidr from [vm:] %s . All ports should be blocked. " % (vip.uuid, allowed_vr_vm.uuid))
if test_result != self.exp_result:
return self.judge(test_result)
#check pf_udp rule existance.
for pf in pf_udp_list:
test_result = test_lib.lib_check_vm_pf_rule_exist_in_iptables(pf.get_port_forwarding())
test_util.test_logger('Check result: [Port Forwarding] %s finishes UDP rule existance testing' % pf.get_port_forwarding().uuid)
return self.judge(test_result)
test_util.test_logger('Check result: [Port Forwarding] finishes [vip:] %s TCP testing.' % vip.uuid)
return self.judge(test_result)
def check(self):
super(eip_checker, self).check()
try:
test_vip = test_lib.lib_get_vip_by_uuid(self.test_obj.get_vip().uuid)
except:
test_util.test_logger('Check Result: [vip:] %s does not exist' % self.test_obj.get_vip().uuid)
return self.judge(False)
vip = self.test_obj.get_vip()
vipIp = vip.ip
eip_obj = self.test_obj.get_eip()
eip = eip_obj.get_eip()
try:
test_eip = test_lib.lib_get_eip_by_uuid(eip.uuid)
except:
test_util.test_logger('Check Result: [eip:] %s does not exist' % eip.uuid)
return self.judge(False)
if eip_obj.state == eip_header.ATTACHED:
self.vm_nic_uuid = eip.vmNicUuid
self.get_all_available_vr_ip()
all_ports = port_header.all_ports
if not self.vm_nic_uuid:
#eip is not attached
self.set_random_denied_vr()
return self.judge(self.check_eip_denied_tcp())
else:
vm_nic = test_lib.lib_get_nic_by_uuid(self.vm_nic_uuid)
#only open ports when VM is running.
if eip_obj.get_target_vm().state == vm_header.RUNNING:
target_vm = eip_obj.get_target_vm().vm
test_lib.lib_open_vm_listen_ports(target_vm, all_ports, vm_nic.l3NetworkUuid)
else:
self.set_random_denied_vr()
return self.judge(self.check_eip_denied_tcp())
#make sure no any SG rule can impact eip testing.
sg_invs = test_lib.lib_get_sg_invs_by_nic_uuid(self.vm_nic_uuid)
test_result = self.exp_result
if not sg_invs:
#If no SG TCP rules for vm_nic, means all ports are connectable
self.set_random_allowed_vr()
self.denied_vr = None
self.denied_vr_ip = None
self.allowed_ports = all_ports
self.denied_ports = []
test_result = self.check_eip_allowed_tcp()
if test_result != self.exp_result:
return self.judge(test_result)
#if no icmp rule, means ping should be successful
test_result = self.check_eip_icmp(True)
if test_result != self.exp_result:
return self.judge(test_result)
else:
self.calc_sg_tcp_ports(sg_invs)
test_result = self.check_eip_allowed_tcp()
if test_result != self.exp_result:
return self.judge(test_result)
test_result = self.check_eip_denied_tcp()
if test_result != self.exp_result:
return self.judge(test_result)
test_util.test_logger('Checker Result for EIP checker: %s' % test_result)
return self.judge(test_result)
def check(self):
test_util.test_dsc('Check TCP access between SG VMs.')
super(zstack_kvm_sg_tcp_internal_vms_checker, self).check()
nic = test_lib.lib_get_nic_by_uuid(self.nic_uuid)
l3_uuid = nic.l3NetworkUuid
if not 'DHCP' in test_lib.lib_get_l3_service_type(l3_uuid):
test_util.test_logger("Skip SG test for [l3:] %s, since it doesn't provide DHCP service" % l3_uuid)
return self.judge(self.exp_result)
test_result = True
all_ports = port_header.all_ports
tcp_egress_rules = self.test_obj.get_nic_tcp_egress_rules(self.nic_uuid)
src_all_allowed_egress_ports = get_all_ports(tcp_egress_rules)
if not src_all_allowed_egress_ports:
src_all_allowed_egress_ports = list(all_ports)
#src_all_allowed_ingress_ports = get_all_ports(self.test_obj.get_nic_tcp_ingress_rules(self.nic_uuid))
#if not src_all_allowed_ingress_ports:
# src_all_allowed_ingress_ports = list(all_ports)
nic_sg_list = self.test_obj.get_sg_list_by_nic(self.nic_uuid)
src_vm = test_lib.lib_get_vm_by_nic(self.nic_uuid)
#save all shared sg for self.nic_uuid, the key was the other nic_uuid, who shared sg with self.nic_uuid
nic_shared_sg_dict = {}
#find all other nic shared with same sg.
for sg in nic_sg_list:
same_l3_nic_list = list(sg.get_attached_nics_by_l3(l3_uuid))
if len(same_l3_nic_list) == 1:
test_util.test_logger("Skip [SG:] %s, since there is not 2nd VM is attached in this SG." % sg.security_group.uuid)
continue
if self.nic_uuid in same_l3_nic_list:
same_l3_nic_list.remove(self.nic_uuid)
for nic_uuid in same_l3_nic_list:
if not nic_shared_sg_dict.has_key(nic_uuid):
nic_shared_sg_dict[nic_uuid] = [sg]
elif not sg in nic_shared_sg_dict[nic_uuid]:
nic_shared_sg_dict[nic_uuid].append(sg)
#for each shared sg nic to test.
for nic_uuid in nic_shared_sg_dict.keys():
dst_vm = test_lib.lib_get_vm_by_nic(nic_uuid)
if dst_vm.state != inventory.RUNNING:
test_util.test_logger("Skip [vm:] %s, since it is not running." % dst_vm.uuid)
continue
allowed_ingress_ports = []
allowed_egress_ports = []
#find out all shared SG ingress ports and egress ports
for sg in nic_shared_sg_dict[nic_uuid]:
sg_allowed_ingress_ports = \
get_all_ports(sg.get_tcp_ingress_all_rule())
for port in sg_allowed_ingress_ports:
if not port in allowed_ingress_ports:
allowed_ingress_ports.append(port)
sg_allowed_egress_ports = \
get_all_ports(sg.get_tcp_egress_all_rule())
if not sg_allowed_egress_ports:
sg_allowed_egress_ports = list(all_ports)
for port in sg_allowed_egress_ports:
if not port in allowed_egress_ports:
allowed_egress_ports.append(port)
#find out all not shared SG ingress and egress ports for target
src_vm_allowedCidr = '%s/32' % test_lib.lib_get_nic_by_uuid(self.nic_uuid).ip
dst_vm_allowedCidr = '%s/32' % test_lib.lib_get_nic_by_uuid(nic_uuid).ip
#query all other left SG rules, which might not shard between src_vm
#and dst_vm, but setting specifically for these two vms.
for in_port in get_all_ports(self.test_obj.get_nic_tcp_ingress_rule_by_addr(nic_uuid, src_vm_allowedCidr)):
if not in_port in allowed_ingress_ports:
allowed_ingress_ports.append(in_port)
for out_port in get_all_ports(self.test_obj.get_nic_tcp_egress_rule_by_addr(self.nic_uuid, dst_vm_allowedCidr)):
if not out_port in allowed_egress_ports:
allowed_egress_ports.append(out_port)
dst_all_allowed_ingress_ports = get_all_ports(self.test_obj.get_nic_tcp_ingress_rules(nic_uuid))
if not dst_all_allowed_ingress_ports:
test_util.test_logger('Destinated VM nic: %s does not allow any ingress rule, since it does not set any ingress rule' % nic_uuid)
continue
#if (not allowed_ingress_ports) \
# and (not dst_all_allowed_ingress_ports) \
# and (not self.test_obj.get_nic_udp_ingress_rules(nic_uuid)) \
# and (not self.test_obj.get_nic_icmp_ingress_rules(nic_uuid)):
#
# allowed_ingress_ports = list(all_ports)
#if not find suitable port, means all egress opened.
if (not src_all_allowed_egress_ports) \
and (not self.test_obj.get_nic_udp_egress_rules(nic_uuid)) \
and (not self.test_obj.get_nic_icmp_egress_rules(nic_uuid)):
allowed_egress_ports = list(all_ports)
if internal_sg_allow_all(self.nic_uuid, nic_uuid, 'Ingress'):
allowed_ingress_ports = all_ports
if internal_sg_allow_all(self.nic_uuid, nic_uuid, 'Egress'):
allowed_egress_ports = all_ports
shared_ports = get_shared_ports(allowed_egress_ports, \
allowed_ingress_ports)
not_shared_ports = list_ops.list_minus(all_ports, shared_ports)
test_lib.lib_open_vm_listen_ports(dst_vm, all_ports, l3_uuid)
try:
test_lib.lib_check_vm_ports(src_vm, dst_vm, shared_ports, \
not_shared_ports)
except:
traceback.print_exc(file=sys.stdout)
test_util.test_logger('Check result: [Security Group] meets failure when checking TCP Egress rule between [src_vm:] %s and [dst_vm:] %s. ' % (src_vm.uuid, dst_vm.uuid))
test_result = False
break
test_util.test_logger('Check result: [Security Group] finishes TCP connection testing from [vm:] %s to other VMs in same SG.' % src_vm.uuid)
print_iptables(src_vm)
return self.judge(test_result)
def check(self):
super(pf_checker, self).check()
test_result = True
try:
test_vip = test_lib.lib_get_vip_by_uuid(self.test_obj.get_vip().uuid)
except:
test_util.test_logger('Check Result: [vip:] %s is not exist' % self.test_obj.get_vip().uuid)
self.test_obj.update()
return self.judge(False)
if not self.test_obj.get_pf_list():
test_util.test_logger('Check Result: [vip:] %s is not attached to any pf.' % self.test_obj.get_vip().uuid)
self.test_obj.update()
return self.judge(False)
vip = self.test_obj.get_vip()
vipIp = vip.ip
all_ports = port_header.all_ports
pf_running_list = self.test_obj.get_pf_list_for_running_vm()
pf_tcp_list, pf_udp_list = self.separate_tcp_udp_list(pf_running_list)
pf_tcp_dict = self.gen_tcp_dict_by_allowed_cidr(pf_tcp_list)
pf_stopped_list = self.test_obj.get_pf_list_for_stopped_vm()
pf_detached_list = self.test_obj.get_detached_pf_list()
vip_l3 = self.test_obj.get_vip().l3NetworkUuid
if not pf_running_list:
# all ports should be denied, since no living vm.
for pf in pf_stopped_list:
test_result = self.check_denied_pf(pf)
if test_result != self.exp_result:
return self.judge(test_result)
for pf in pf_detached_list:
test_result = self.check_denied_pf(pf)
if test_result != self.exp_result:
return self.judge(test_result)
else:
#open TCP ports for living vms
for pf in pf_tcp_list:
target_vm = pf.get_target_vm().vm
vm_l3 = test_lib.lib_get_nic_by_uuid(pf.get_port_forwarding().vmNicUuid).l3NetworkUuid
test_lib.lib_open_vm_listen_ports(target_vm, all_ports, vm_l3)
#calc allowed ports, per allowed_cidr
for allowed_vr_ip, pf_dict_list in pf_tcp_dict.iteritems():
allowed_ports = []
denied_ports = all_ports
#find all pf rules on running vm. These rules are supposed to be connectable, unless they are blocked by target vm's sg.
allowed_ports, denied_ports = \
self.count_pf_allowed_denied_ports(
pf_dict_list,
allowed_ports,
denied_ports)
#although the target_vm might be different, but the denied_vr_vm should be same.
target_vm_nic_uuid = pf_dict_list[0].get_port_forwarding().vmNicUuid
allowed_vr_vm, denied_vr_vm = \
self.get_allowed_denied_vr_vm(allowed_vr_ip, target_vm_nic_uuid)
denied_vr_ip = test_lib.lib_find_vr_pub_ip(denied_vr_vm)
try:
test_lib.lib_check_ports_in_a_command(allowed_vr_vm, allowed_vr_ip, vipIp, allowed_ports, denied_ports, target_vm)
except:
traceback.print_exc(file=sys.stdout)
test_util.test_logger("Catch failure when checking [vip:] %s Port Forwarding TCP [rules] for allowed Cidr: %s from [vm:] %s . " % \
(vip.uuid, allowed_vr_ip, allowed_vr_vm.uuid))
test_result = False
if test_result != self.exp_result:
return self.judge(test_result)
if test_result != self.exp_result:
return self.judge(test_result)
test_util.test_logger("Checking pass for [vip:] %s Port Forwardings TCP rules for allowed Cidr: %s from [vm:] %s " % \
(vip.uuid, allowed_vr_ip, allowed_vr_vm.uuid))
#check denied vr access.
allowed_ports = []
denied_ports = all_ports
#the denied vr might be in other pf rule.
if denied_vr_ip in pf_tcp_dict.keys():
allowed_ports, denied_ports = \
self.count_pf_allowed_denied_ports(
pf_tcp_dict[denied_vr_ip],
allowed_ports,
denied_ports)
try:
test_lib.lib_check_ports_in_a_command(denied_vr_vm, denied_vr_ip, vipIp, allowed_ports, denied_ports, target_vm)
except:
traceback.print_exc(file=sys.stdout)
test_util.test_logger("Catch failure when checking [vip:] %s Port Forwarding TCPs for not allowed Cidr from [vm:] %s" % (vip.uuid, allowed_vr_vm.uuid))
test_result = False
if test_result != self.exp_result:
return self.judge(test_result)
test_util.test_logger("Checking pass for Port Forwarding TCP [rule:] %s for not allowed Cidr from [vm:] %s . All ports should be blocked. " % (vip.uuid, allowed_vr_vm.uuid))
if test_result != self.exp_result:
return self.judge(test_result)
#check pf_udp rule existance.
for pf in pf_udp_list:
test_result = test_lib.lib_check_vm_pf_rule_exist_in_iptables(pf.get_port_forwarding())
test_util.test_logger('Check result: [Port Forwarding] %s finishes UDP rule existance testing' % pf.get_port_forwarding().uuid)
return self.judge(test_result)
test_util.test_logger('Check result: [Port Forwarding] finishes [vip:] %s TCP testing.' % vip.uuid)
return self.judge(test_result)
def check(self):
super(eip_checker, self).check()
try:
test_vip = test_lib.lib_get_vip_by_uuid(self.test_obj.get_vip().uuid)
except:
test_util.test_logger('Check Result: [vip:] %s does not exist' % self.test_obj.get_vip().uuid)
return self.judge(False)
vip = self.test_obj.get_vip()
vipIp = vip.ip
eip_obj = self.test_obj.get_eip()
eip = eip_obj.get_eip()
try:
test_eip = test_lib.lib_get_eip_by_uuid(eip.uuid)
except:
test_util.test_logger('Check Result: [eip:] %s does not exist' % eip.uuid)
return self.judge(False)
if eip_obj.state == eip_header.ATTACHED:
self.vm_nic_uuid = eip.vmNicUuid
self.get_all_available_vr_ip()
all_ports = port_header.all_ports
if not self.vm_nic_uuid:
#eip is not attached
self.set_random_denied_vr()
return self.judge(self.check_eip_denied_tcp())
else:
vm_nic = test_lib.lib_get_nic_by_uuid(self.vm_nic_uuid)
#only open ports when VM is running.
if eip_obj.get_target_vm().state == vm_header.RUNNING:
target_vm = eip_obj.get_target_vm().vm
test_lib.lib_open_vm_listen_ports(target_vm, all_ports, vm_nic.l3NetworkUuid)
else:
self.set_random_denied_vr()
return self.judge(self.check_eip_denied_tcp())
#make sure no any SG rule can impact eip testing.
sg_invs = test_lib.lib_get_sg_invs_by_nic_uuid(self.vm_nic_uuid)
test_result = self.exp_result
if not sg_invs:
#If no SG TCP rules for vm_nic, means all ports are connectable
self.set_random_allowed_vr()
self.denied_vr = None
self.denied_vr_ip = None
self.allowed_ports = all_ports
self.denied_ports = []
test_result = self.check_eip_allowed_tcp()
if test_result != self.exp_result:
return self.judge(test_result)
#if no icmp rule, means ping should be successful
test_result = self.check_eip_icmp(True)
if test_result != self.exp_result:
return self.judge(test_result)
else:
self.calc_sg_tcp_ports(sg_invs)
test_result = self.check_eip_allowed_tcp()
if test_result != self.exp_result:
return self.judge(test_result)
test_result = self.check_eip_denied_tcp()
if test_result != self.exp_result:
return self.judge(test_result)
test_util.test_logger('Checker Result for EIP checker: %s' % test_result)
return self.judge(test_result)
def test():
'''
Test image requirements:
1. have nc to check the network port
2. have "nc" to open any port
3. it doesn't include a default firewall
VR image is a good candiate to be the guest image.
'''
test_util.test_dsc("Create 3 VMs with vlan VR L3 network and using VR image.")
vm1 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm1)
vm2 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm2)
vm3 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm3)
vm4 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm4)
vm5 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm5)
vm1.check()
vm2.check()
vm3.check()
vm4.check()
vm5.check()
test_util.test_dsc("Create security groups.")
sg1 = test_stub.create_sg()
test_obj_dict.add_sg(sg1.security_group.uuid)
sg2 = test_stub.create_sg()
test_obj_dict.add_sg(sg2.security_group.uuid)
sg3 = test_stub.create_sg()
test_obj_dict.add_sg(sg3.security_group.uuid)
sg4 = test_stub.create_sg()
test_obj_dict.add_sg(sg4.security_group.uuid)
sg5 = test_stub.create_sg()
test_obj_dict.add_sg(sg5.security_group.uuid)
sg_vm = test_sg_vm_header.ZstackTestSgVm()
sg_vm.check()
vr_vm = test_lib.lib_find_vr_by_vm(vm1.vm)[0]
vr_internal_ip = test_lib.lib_find_vr_private_ip(vr_vm)
vm1_ip = vm1.vm.vmNics[0].ip
vm2_ip = vm2.vm.vmNics[0].ip
vm3_ip = vm3.vm.vmNics[0].ip
vm4_ip = vm4.vm.vmNics[0].ip
vm5_ip = vm5.vm.vmNics[0].ip
l3_uuid = vm1.vm.vmNics[0].l3NetworkUuid
nic_uuid1 = vm1.vm.vmNics[0].uuid
nic_uuid2 = vm2.vm.vmNics[0].uuid
nic_uuid3 = vm3.vm.vmNics[0].uuid
nic_uuid4 = vm4.vm.vmNics[0].uuid
nic_uuid5 = vm5.vm.vmNics[0].uuid
vm1_nics = (nic_uuid1, vm1)
vm2_nics = (nic_uuid2, vm2)
vm3_nics = (nic_uuid3, vm3)
vm4_nics = (nic_uuid4, vm4)
vm5_nics = (nic_uuid5, vm5)
vm_group1_nics = [vm1_nics, vm2_nics]
vm_group2_nics = [vm3_nics, vm4_nics]
#vms_nics = vm_group1_nics + vm_group1_nics + [vm5_nics]
vms_nics = vm_group1_nics + vm_group2_nics
test_util.test_dsc("Open some ports in 5 VMs for testing.")
for vm in vm1,vm2,vm3,vm4,vm5:
test_lib.lib_open_vm_listen_ports(vm.vm, test_stub.target_ports)
rule_ai1 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP, inventory.INGRESS, vr_internal_ip)
rule_ae1 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP, inventory.EGRESS, vm5_ip)
rule_v3i_2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP, inventory.INGRESS, vm3_ip)
rule_v3e_2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP, inventory.EGRESS, vm3_ip)
rule_v3e_3 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.TCP, inventory.EGRESS, vm3_ip)
rule_v3i_3 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.TCP, inventory.INGRESS, vm3_ip)
rule_v4i_2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP, inventory.INGRESS, vm4_ip)
rule_v4e_2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP, inventory.EGRESS, vm4_ip)
rule_v1i_2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP, inventory.INGRESS, vm1_ip)
rule_v1e_2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP, inventory.EGRESS, vm1_ip)
rule_v2i_2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP, inventory.INGRESS, vm2_ip)
rule_v2e_2 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.TCP, inventory.EGRESS, vm2_ip)
rule_v1i_3 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.TCP, inventory.INGRESS, vm1_ip)
rule_v1e_3 = test_lib.lib_gen_sg_rule(Port.rule3_ports, inventory.TCP, inventory.EGRESS, vm1_ip)
sg1.add_rule([rule_ai1, rule_ae1])
sg2.add_rule([rule_v3i_2, rule_v4i_2, rule_v3e_2, rule_v4e_2])
sg3.add_rule([rule_v1i_2, rule_v2i_2, rule_v1e_2, rule_v2e_2])
sg4.add_rule([rule_v1i_3, rule_v1e_3])
sg5.add_rule([rule_v3e_3, rule_v3i_3])
sg_vm.add_stub_vm(l3_uuid, vm5)
sg_vm.check()
##add all vm1 vm2 vm3 vm4 vm5 to sg1.
test_util.test_dsc("Add all VMs to security group 1.")
test_util.test_dsc("Allowed ingress and egress [ports:] %s" % test_stub.rule1_ports)
sg_vm.attach(sg1, vms_nics)
#add vm1 vm2 to SG2.
test_util.test_dsc("Add VM1 and VM2 to SG2.")
test_util.test_dsc("Allowed ingress [ports:] %s from VM3 and VM4" % test_stub.rule2_ports)
test_util.test_dsc("Allowed egress [ports:] %s to VM3 and VM4" % test_stub.rule2_ports)
test_util.test_dsc("Since VM1/VM2 are in same SG group, VM1/VM2 can connect rule2 ports :%s each other." % test_stub.rule2_ports)
sg_vm.attach(sg2, vm_group1_nics)
sg_vm.check()
test_util.test_dsc("Since VM3/VM4 didn't open rule2 ports for VM1/VM2, VM1/VM2 can't connect to VM3/VM4 rule2 ports :%s." % test_stub.rule2_ports)
test_lib.lib_check_vm_ports(vm3.vm, vm1.vm, test_stub.rule1_ports, (test_stub.rule2_ports + test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports + test_stub.denied_ports))
test_lib.lib_check_vm_ports(vm3.vm, vm2.vm, test_stub.rule1_ports, (test_stub.rule2_ports + test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports + test_stub.denied_ports))
test_lib.lib_check_vm_ports(vm4.vm, vm1.vm, test_stub.rule1_ports, (test_stub.rule2_ports + test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports + test_stub.denied_ports))
test_lib.lib_check_vm_ports(vm4.vm, vm2.vm, test_stub.rule1_ports, (test_stub.rule2_ports + test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports + test_stub.denied_ports))
test_lib.lib_check_vm_group_ports(vm1.vm, [vm3.vm, vm4.vm], test_stub.rule1_ports, (test_stub.rule2_ports + test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports + test_stub.denied_ports))
test_util.test_dsc("Add rule2 ports to VM3 and VM4.")
test_util.test_dsc("Allowed ingress [ports:] %s from VM1/VM2 to VM3/VM4" % (test_stub.rule1_ports + test_stub.rule2_ports))
test_util.test_dsc("Allowed egress [ports:] %s to VM1 and VM2" % test_stub.rule2_ports)
sg_vm.attach(sg3, vm_group2_nics)
test_lib.lib_check_vm_group_ports(vm4.vm, [vm1.vm, vm2.vm], (test_stub.rule1_ports + test_stub.rule2_ports), (test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports + test_stub.denied_ports))
test_lib.lib_check_vm_group_ports(vm2.vm, [vm3.vm, vm4.vm], (test_stub.rule1_ports + test_stub.rule2_ports), (test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports + test_stub.denied_ports))
sg_vm.check()
test_util.test_dsc("Add VM3 and VM4 to SG4.")
test_util.test_dsc("Allowed ingress/egress [ports:] %s for VM1" % test_stub.rule3_ports)
test_util.test_dsc("But due to VM1 didn't open related ports, connection will be denied for [ports:] %s from VM1 to VM3 " % test_stub.rule3_ports)
test_util.test_dsc("The enabled connections for VM1/VM3 are still [ports:] %s " % (test_stub.rule1_ports + test_stub.rule2_ports))
sg_vm.attach(sg4, vm_group2_nics)
test_lib.lib_check_vm_ports(vm1.vm, vm3.vm, (test_stub.rule1_ports + test_stub.rule2_ports), (test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports + test_stub.denied_ports))
test_util.test_dsc("As VM3/VM4 are in same SG group, rule1+rule2+rule3 [ports:] %s are opened between VM4 and VM3 " % (test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports))
sg_vm.check()
test_util.test_dsc("Add VM1 and VM2 to SG5.")
test_util.test_dsc("Allowed ingress/egress [ports:] %s for VM3" % test_stub.rule3_ports)
test_util.test_dsc("Connection between VM1 and VM3, between VM1 and VM2, between VM3 and VM4 are enabled for [ports:] %s" % (test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports))
sg_vm.attach(sg5, vm_group1_nics)
test_lib.lib_check_vm_ports(vm1.vm, vm3.vm, (test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports), (test_stub.rule4_ports + test_stub.rule5_ports + test_stub.denied_ports))
test_lib.lib_check_vm_ports(vm3.vm, vm1.vm, (test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports), (test_stub.rule4_ports + test_stub.rule5_ports + test_stub.denied_ports))
test_lib.lib_check_vm_ports(vm4.vm, vm3.vm, (test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports), (test_stub.rule4_ports + test_stub.rule5_ports + test_stub.denied_ports))
test_util.test_dsc("Connection from VM2 to VM3 are enabled for [ports:]" % (test_stub.rule1_ports + test_stub.rule2_ports + test_stub.rule3_ports))
test_lib.lib_check_vm_ports(vm2.vm, vm3.vm, (test_stub.rule1_ports + test_stub.rule2_ports), (test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports + test_stub.denied_ports))
test_lib.lib_check_vm_ports(vm4.vm, vm2.vm, (test_stub.rule1_ports + test_stub.rule2_ports), (test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports + test_stub.denied_ports))
#test_util.test_dsc("VM5 was not granted with rule2 and rule3 ports, so only rule1 [ports:] %s are allowned to connect to other VMs." % test_stub.rule1_ports)
#test_lib.lib_check_vm_ports(vm5.vm, vm3.vm, test_stub.rule1_ports, (test_stub.rule2_ports + test_stub.rule3_ports + test_stub.rule4_ports + test_stub.rule5_ports + test_stub.denied_ports))
#clean up.
for sg in sg1,sg2,sg3,sg4,sg5:
sg_vm.delete_sg(sg)
test_obj_dict.rm_sg(sg.security_group.uuid)
for vm in vm1,vm2,vm3,vm4,vm5:
vm.destroy()
test_obj_dict.rm_vm(vm)
test_util.test_pass('Security Group Vlan VirtualRouter VM complex testing with 2 Groups 5 VMs Test Success')
def check(self):
test_util.test_dsc('Check TCP access between SG VMs.')
super(zstack_vcenter_sg_tcp_internal_vms_checker, self).check()
nic = test_lib.lib_get_nic_by_uuid(self.nic_uuid)
l3_uuid = nic.l3NetworkUuid
if not 'DHCP' in test_lib.lib_get_l3_service_type(l3_uuid):
test_util.test_logger("Skip SG test for [l3:] %s, since it doesn't provide DHCP service" % l3_uuid)
return self.judge(self.exp_result)
test_result = True
all_ports = port_header.all_ports
tcp_egress_rules = self.test_obj.get_nic_tcp_egress_rules(self.nic_uuid)
src_all_allowed_egress_ports = get_all_ports(tcp_egress_rules)
if not src_all_allowed_egress_ports:
src_all_allowed_egress_ports = list(all_ports)
#src_all_allowed_ingress_ports = get_all_ports(self.test_obj.get_nic_tcp_ingress_rules(self.nic_uuid))
#if not src_all_allowed_ingress_ports:
# src_all_allowed_ingress_ports = list(all_ports)
nic_sg_list = self.test_obj.get_sg_list_by_nic(self.nic_uuid)
src_vm = test_lib.lib_get_vm_by_nic(self.nic_uuid)
#save all shared sg for self.nic_uuid, the key was the other nic_uuid, who shared sg with self.nic_uuid
nic_shared_sg_dict = {}
#find all other nic shared with same sg.
for sg in nic_sg_list:
same_l3_nic_list = list(sg.get_attached_nics_by_l3(l3_uuid))
if len(same_l3_nic_list) == 1:
test_util.test_logger("Skip [SG:] %s, since there is not 2nd VM is attached in this SG." % sg.security_group.uuid)
continue
if self.nic_uuid in same_l3_nic_list:
same_l3_nic_list.remove(self.nic_uuid)
for nic_uuid in same_l3_nic_list:
if not nic_shared_sg_dict.has_key(nic_uuid):
nic_shared_sg_dict[nic_uuid] = [sg]
elif not sg in nic_shared_sg_dict[nic_uuid]:
nic_shared_sg_dict[nic_uuid].append(sg)
#for each shared sg nic to test.
for nic_uuid in nic_shared_sg_dict.keys():
dst_vm = test_lib.lib_get_vm_by_nic(nic_uuid)
if dst_vm.state != inventory.RUNNING:
test_util.test_logger("Skip [vm:] %s, since it is not running." % dst_vm.uuid)
continue
allowed_ingress_ports = []
allowed_egress_ports = []
#find out all shared SG ingress ports and egress ports
for sg in nic_shared_sg_dict[nic_uuid]:
sg_allowed_ingress_ports = \
get_all_ports(sg.get_tcp_ingress_all_rule())
for port in sg_allowed_ingress_ports:
if not port in allowed_ingress_ports:
allowed_ingress_ports.append(port)
sg_allowed_egress_ports = \
get_all_ports(sg.get_tcp_egress_all_rule())
if not sg_allowed_egress_ports:
sg_allowed_egress_ports = list(all_ports)
for port in sg_allowed_egress_ports:
if not port in allowed_egress_ports:
allowed_egress_ports.append(port)
#find out all not shared SG ingress and egress ports for target
src_vm_allowedCidr = '%s/32' % test_lib.lib_get_nic_by_uuid(self.nic_uuid).ip
dst_vm_allowedCidr = '%s/32' % test_lib.lib_get_nic_by_uuid(nic_uuid).ip
#query all other left SG rules, which might not shard between src_vm
#and dst_vm, but setting specifically for these two vms.
for in_port in get_all_ports(self.test_obj.get_nic_tcp_ingress_rule_by_addr(nic_uuid, src_vm_allowedCidr)):
if not in_port in allowed_ingress_ports:
allowed_ingress_ports.append(in_port)
for out_port in get_all_ports(self.test_obj.get_nic_tcp_egress_rule_by_addr(self.nic_uuid, dst_vm_allowedCidr)):
if not out_port in allowed_egress_ports:
allowed_egress_ports.append(out_port)
dst_all_allowed_ingress_ports = get_all_ports(self.test_obj.get_nic_tcp_ingress_rules(nic_uuid))
if not dst_all_allowed_ingress_ports:
test_util.test_logger('Destinated VM nic: %s does not allow any ingress rule, since it does not set any ingress rule' % nic_uuid)
continue
#if (not allowed_ingress_ports) \
# and (not dst_all_allowed_ingress_ports) \
# and (not self.test_obj.get_nic_udp_ingress_rules(nic_uuid)) \
# and (not self.test_obj.get_nic_icmp_ingress_rules(nic_uuid)):
#
# allowed_ingress_ports = list(all_ports)
#if not find suitable port, means all egress opened.
if (not src_all_allowed_egress_ports) \
and (not self.test_obj.get_nic_udp_egress_rules(nic_uuid)) \
and (not self.test_obj.get_nic_icmp_egress_rules(nic_uuid)):
allowed_egress_ports = list(all_ports)
shared_ports = get_shared_ports(allowed_egress_ports, \
allowed_ingress_ports)
not_shared_ports = list_ops.list_minus(all_ports, shared_ports)
test_lib.lib_open_vm_listen_ports(dst_vm, all_ports, l3_uuid)
try:
test_lib.lib_check_vm_ports(src_vm, dst_vm, shared_ports, \
not_shared_ports)
except:
traceback.print_exc(file=sys.stdout)
test_util.test_logger('Check result: [Security Group] meets failure when checking TCP Egress rule between [src_vm:] %s and [dst_vm:] %s. ' % (src_vm.uuid, dst_vm.uuid))
test_result = False
break
test_util.test_logger('Check result: [Security Group] finishes TCP connection testing from [vm:] %s to other VMs in same SG.' % src_vm.uuid)
print_iptables(src_vm)
return self.judge(test_result)
def test():
'''
Test image requirements:
1. have nc to check the network port
2. have "nc" to open any port
3. it doesn't include a default firewall
VR image is a good candiate to be the guest image.
'''
test_util.test_dsc(
"Create 3 VMs with vlan VR L3 network and using VR image.")
vm1 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm1)
vm1_ip = vm1.vm.vmNics[0].ip
vm2 = test_stub.create_sg_vm()
test_obj_dict.add_vm(vm2)
vm2_ip = vm2.vm.vmNics[0].ip
vm1.check()
vm2.check()
test_util.test_dsc("Create security groups.")
sg1 = test_stub.create_sg()
test_obj_dict.add_sg(sg1.security_group.uuid)
sg2 = test_stub.create_sg()
test_obj_dict.add_sg(sg2.security_group.uuid)
sg_vm = test_sg_vm_header.ZstackTestSgVm()
sg_vm.check()
l3_uuid = vm1.vm.vmNics[0].l3NetworkUuid
vm1_nic_uuid = vm1.vm.vmNics[0].uuid
vm2_nic_uuid = vm2.vm.vmNics[0].uuid
#Attach security group to l3 network
net_ops.attach_security_group_to_l3(sg1.security_group.uuid, l3_uuid)
net_ops.attach_security_group_to_l3(sg2.security_group.uuid, l3_uuid)
#Add vm1 nic to security group
sg_vm.attach(sg1, [(vm1_nic_uuid, vm1)])
sg_vm.check()
sg_vm.attach(sg2, [(vm2_nic_uuid, vm2)])
sg_vm.check()
rule1_1 = test_lib.lib_gen_sg_rule(Port.icmp_ports, inventory.ICMP,
inventory.INGRESS, vm2_ip)
rule1_2 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP,
inventory.INGRESS, vm2_ip)
rule1_3 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.UDP,
inventory.INGRESS, vm2_ip)
sg1.add_rule([rule1_1, rule1_2, rule1_3], [sg2.security_group.uuid])
sg_vm.check()
sg_vm.add_stub_vm(l3_uuid, vm2)
sg_vm.check()
sg_vm.delete_stub_vm(l3_uuid)
rule2_1 = test_lib.lib_gen_sg_rule(Port.icmp_ports, inventory.ICMP,
inventory.INGRESS, vm1_ip)
rule2_2 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP,
inventory.INGRESS, vm1_ip)
rule2_3 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.UDP,
inventory.INGRESS, vm1_ip)
sg2.add_rule([rule2_1, rule2_2, rule2_3], [sg1.security_group.uuid])
sg_vm.check()
sg_vm.add_stub_vm(l3_uuid, vm1)
#sg_vm.check()
try:
test_lib.lib_open_vm_listen_ports(vm1.vm,
Port.ports_range_dict['rule1_ports'],
l3_uuid)
test_lib.lib_open_vm_listen_ports(vm2.vm,
Port.ports_range_dict['rule1_ports'],
l3_uuid)
test_lib.lib_check_vm_ports_in_a_command(
vm1.vm, vm2.vm, Port.ports_range_dict['rule1_ports'], [])
except:
test_util.test_fail(
'Security Group Meets Failure When Checking Ingress Rule. ')
#Cleanup
sg_vm.delete_sg(sg2)
test_obj_dict.rm_sg(sg2.security_group.uuid)
sg_vm.delete_sg(sg1)
test_obj_dict.rm_sg(sg1.security_group.uuid)
sg_vm.check()
vm1.destroy()
test_obj_dict.rm_vm(vm1)
vm2.destroy()
test_obj_dict.rm_vm(vm2)
test_util.test_pass(
'Security Group Vlan VirtualRouter 2 VMs Group Ingress Test Success')
def test():
'''
Test image requirements:
1. have nc to check the network port
2. have "nc" to open any port
3. it doesn't include a default firewall
VR image is a good candiate to be the guest image.
'''
test_util.test_dsc("Create 3 VMs with vlan VR L3 network and using VR image.")
image_name = os.environ.get('ipv6ImageName')
ipv4_net_uuid = test_lib.lib_get_l3_by_name(os.environ.get('l3PublicNetworkName')).uuid
ipv6_net_uuid = test_lib.lib_get_l3_by_name(os.environ.get('l3PublicNetworkName1')).uuid
print "ipv4_net_uuid is : %s , ipv6_net_uuid is : %s" %(ipv4_net_uuid, ipv6_net_uuid)
vm1 = test_stub.create_vm(l3_name = os.environ.get('l3PublicNetworkName'), vm_name = 'vm_1 IPv6 2 stack test', system_tags = ["dualStackNic::%s::%s" %(ipv4_net_uuid, ipv6_net_uuid)], image_name = image_name)
test_obj_dict.add_vm(vm1)
vm2 = test_stub.create_vm(l3_name = os.environ.get('l3PublicNetworkName'), vm_name = 'vm_2 IPv6 2 stack test', system_tags = ["dualStackNic::%s::%s" %(ipv4_net_uuid, ipv6_net_uuid)], image_name = image_name)
test_obj_dict.add_vm(vm2)
time.sleep(120) #waiting for vm bootup
vm1_ip1 = vm1.get_vm().vmNics[0].usedIps[0].ip
vm1_ip2 = vm1.get_vm().vmNics[0].usedIps[1].ip
vm2_ip1 = vm2.get_vm().vmNics[0].usedIps[0].ip
vm2_ip2 = vm2.get_vm().vmNics[0].usedIps[1].ip
if "172.20" in vm1_ip1:
vm1_ipv4 = vm1_ip1
vm1_ipv6 = vm1_ip2
else:
vm1_ipv4 = vm1_ip2
vm1_ipv6 = vm1_ip1
if "172.20" in vm2_ip1:
vm2_ipv4 = vm2_ip1
vm2_ipv6 = vm2_ip2
else:
vm2_ipv4 = vm2_ip2
vm2_ipv6 = vm2_ip1
print "vm1_ipv6 : %s, vm1_ipv4: %s, vm2_ipv6 :%s,vm2_ipv4 :%s, ipv4 :%s, ipv6 :%s." %(vm1_ipv6, vm1_ipv4, vm2_ipv6, vm2_ipv4, vm2_ipv4, vm2_ipv6)
cmd = "ping6 -c 4 %s" %(vm2_ipv6)
(retcode, output, erroutput) = ssh.execute(cmd, vm1_ipv4, "root", "password", True, 22)
cmd1 = "ping -c 4 %s" %(vm2_ipv4)
(retcode1, output1, erroutput1) = ssh.execute(cmd1, vm1_ipv4, "root", "password", True, 22)
print "retcode is: %s; output is : %s.; erroutput is: %s" %(retcode, output , erroutput)
print "retcode1 is: %s; output1 is : %s.; erroutput1 is: %s" %(retcode1, output1 , erroutput1)
test_util.test_dsc("Create security groups.")
sg1 = test_stub.create_sg(ipVersion = 6)
test_obj_dict.add_sg(sg1.security_group.uuid)
sg2 = test_stub.create_sg(ipVersion = 6)
test_obj_dict.add_sg(sg2.security_group.uuid)
sg_vm = test_sg_vm_header.ZstackTestSgVm()
l3_uuid = ipv6_net_uuid
vm1_nic_uuid = vm1.get_vm().vmNics[0].uuid
vm2_nic_uuid = vm2.get_vm().vmNics[0].uuid
print "vm1_nic_uuid :%s, vm2_nic_uuid :%s ."%(vm1_nic_uuid, vm2_nic_uuid)
#Attach security group to l3 network
net_ops.attach_security_group_to_l3(sg1.security_group.uuid, l3_uuid)
net_ops.attach_security_group_to_l3(sg2.security_group.uuid, l3_uuid)
#Add vm1 nic to security group
sg_vm.attach(sg1, [(vm1_nic_uuid, vm1)], ipv6 = "ipv6")
sg_vm.attach(sg2, [(vm2_nic_uuid, vm2)], ipv6 = "ipv6")
rule1_1 = test_lib.lib_gen_sg_rule(Port.icmp_ports, inventory.ICMP, inventory.INGRESS, vm2_ipv6, ipVersion = 6)
rule1_2 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP, inventory.INGRESS, vm2_ipv6, ipVersion = 6)
rule1_3 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.UDP, inventory.INGRESS, vm2_ipv6, ipVersion = 6)
sg1.add_rule([rule1_1,rule1_2,rule1_3], [sg2.security_group.uuid])
sg_vm.add_stub_vm(l3_uuid, vm2)
sg_vm.delete_stub_vm(l3_uuid)
rule2_1 = test_lib.lib_gen_sg_rule(Port.icmp_ports, inventory.ICMP, inventory.INGRESS, vm1_ipv6, ipVersion = 6)
rule2_2 = test_lib.lib_gen_sg_rule(Port.rule1_ports, inventory.TCP, inventory.INGRESS, vm1_ipv6, ipVersion = 6)
rule2_3 = test_lib.lib_gen_sg_rule(Port.rule2_ports, inventory.UDP, inventory.INGRESS, vm1_ipv6, ipVersion = 6)
sg2.add_rule([rule2_1,rule2_2,rule2_3], [sg1.security_group.uuid])
sg_vm.add_stub_vm(l3_uuid, vm1)
try:
test_lib.lib_open_vm_listen_ports(vm1.vm, Port.ports_range_dict['rule1_ports'], l3_uuid, target_ip = vm1_ipv4, target_ipv6 = vm1_ipv6)
test_lib.lib_open_vm_listen_ports(vm2.vm, Port.ports_range_dict['rule1_ports'], l3_uuid, target_ip = vm2_ipv4, target_ipv6 = vm2_ipv6)
test_lib.lib_check_vm_ports_in_a_command(vm1.vm, vm2.vm, Port.ports_range_dict['rule1_ports'], [], target_ipv6 = vm2_ipv6)
except:
test_util.test_fail('Security Group Meets Failure When Checking Ingress Rule. ')
#Cleanup
sg_vm.delete_sg(sg2)
test_obj_dict.rm_sg(sg2.security_group.uuid)
sg_vm.delete_sg(sg1)
test_obj_dict.rm_sg(sg1.security_group.uuid)
sg_vm.check()
vm1.destroy()
test_obj_dict.rm_vm(vm1)
vm2.destroy()
test_obj_dict.rm_vm(vm2)
test_util.test_pass('Security Group Vlan VirtualRouter 2 VMs Group Ingress Test Success')
